DETAILED ACTION

1. This office action is in response to the amendment filed on November 13, 2009.

2. Claims 1 and 12-13 have been amended. 

3. Claims 1-10 and 12-17 are pending. 

EXAMINER'S AMENDMENT 

An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Keith M. Baxter (Reg. No. 31,233) on 01/25/10.

The application has been amended as follows: 

In the claims: 

Please cancel claims 4 and 5.

With respect to claim 1:

A computer program stored on a computer readable hardware storage medium 
for identifying malicious portions in a suspect computer program comprising: 

a preprocessor portion for receiving the suspect computer program in 
executable form and creating a logically equivalent standardized version also in 
executable form of the suspect program without executing the suspect program, 
the logical equivalent standardized version if executed providing an equivalent
result as execution of the suspect computer program; 

a library of standardized malicious code portions; and 

a detector portion reviewing the standardized version against the library of 
malicious code portions to provide an output indicating when a malicious code 
portion is present in the suspect program 

wherein the standardized version maps instructions of the suspect 
program to corresponding standard synonym instructions; and 

wherein the standard synonym instructions are different in number from 
the instructions of the suspect program to which the synonym instructions map.

With respect to claim 12:

A computer program stored on a computer readable hardware storage medium 
for identifying malicious portions in a suspect computer program comprising: 

a preprocessor portion for receiving the suspect computer program and creating 
a logically equivalent standardized version of the suspect program without executing the 
suspect program; 

a library of standardized malicious code portions; and 

a detector portion reviewing the standardized version against the library of 
malicious code portions to provide an output indicating when a malicious code portion is 
present in the suspect program; 

the computer program further including a library of patterns matching to one or 
more instructions of the suspect program and wherein the preprocessor creates the 
standardized version by replacing instructions of the suspect program with matching
patterns from ones of the library of patterns and wherein the library of standardized
malicious code portions are also collections of ones patterns of the library of patterns

wherein a pattern is at least one instruction logically replacing at least one 
different instruction in the suspect program. 

With respect to claim 13:

A computer program stored on a computer readable hardware storage medium 
for identifying malicious portions in a suspect computer program comprising: 

a preprocessor portion for receiving the suspect computer program and creating 
a logically equivalent standardized version of the suspect program without executing the 
suspect program; 

a library of standardized malicious code portions; and 

a detector portion reviewing the standardized version against the library of 
malicious code portions to provide an output indicating when a malicious code portion is 
present in the suspect program; 

the computer program further including a library of patterns matching to one or 
more instructions of the suspect program and wherein the preprocessor creates the 
standardized version by replacing instructions of the suspect program with matching 
ones of patterns from the library of patterns and wherein the library of standardized
malicious code portions are also collections of ones of patterns from the library of
patterns wherein a pattern is a tag replacing at least one instruction logically having no
substantive effect on the execution of the suspect program; and wherein the library of
patterns is implemented as a look-up table matching instructions to the patterns.

Allowable Subject Matter

4. Claims 1-3, 6-10, 12-17 are allowed.

5. The following is an examiner's statement of reasons for allowance: The prior art
on record Nachenberg (US 6,357,008) teaches a method of detecting computer viruses
comprising three stages: a decryption phase, an exploration phase and an evaluation
phase. A purpose of the decryption phase is to emulate a sufficient number of instructions
to allow an encrypted virus to decrypt its viral body. Nachenberg (US 6,851,057)
teaches a virus detection system (VDS) for detecting the presence of a virus in a file
having multiple entry points. The VDS includes a data file holding P-code instructions
and a virus definition file containing virus signatures of known viruses. It also has a
scanning module for scanning the memory addresses within the supplied range for
signatures held in the virus definition file, and an emulating module for setting up a
virtual machine having a virtual preprocessor and an associated memory. The virtual
machine uses the virtual preprocessor to execute code in the virtual memory in isolation
from the remainder of the computer system. Schmall (US 7,069,589) teaches a method of
detecting a class of viral code and a heuristic analyzer that analyzes the subject file and
generates a set of flags along with statistical information. A search component uses the
set of flags with statistical information to perform a search for a scan string and/or a
statement type in the subject file. A positive detection alarm is triggered if the scan
string and/or statement is found at least a corresponding predetermined number of times.

6. With respect to claim 1:

The prior art on record either taken singularly or in combination fails to teach the 
identifying malicious portion in a program specifically "a preprocessor portion 
creating a logically equivalent standardized version also in executable form of the
suspect program without executing the suspect program, the logical equivalent 
standardized version if executed providing an equivalent result as execution of 
the suspect computer program; a detector portion reviewing the standardized 
version against the library of malicious code portions to provide an output 
indicating when a malicious code portion is present in the suspect program 
wherein the standardized version maps instructions of the suspect program to 
corresponding standard synonym instructions; and wherein the standard 
synonym instructions are different in number from the instructions of the suspect 
program to which the synonym instructions map" including all the other limitations 
recited in the independent claim 1. 

With respect to claim 12: 

The prior art on record either taken singularly or in combination fails to teach the 
identifying malicious portion in a program specifically "a preprocessor portion for 
receiving the suspect computer program and creating a logically equivalent 
standardized version of the suspect program without executing the suspect 
program; a detector portion reviewing the standardized version against the 
library of malicious code portions to provide an output indicating when a 
malicious code portion is present in the suspect program; and wherein the 



Application/Control Number: 10/629,292 Page 7 

Art Unit: 2437 

preprocessor creates the standardized version by replacing instructions of the 
suspect program with matching patterns from library of patterns and wherein the 
library of standardized malicious code portions are also patterns of the library of 
patterns wherein a pattern is at least one instruction logically replacing at least 
one different instruction in the suspect program" including all the other limitations 
recited in the independent claim 12.

With respect to claim 13:

The prior art on record either taken singularly or in combination fails to teach the 
identifying malicious portion in a program specifically "a preprocessor portion for 
receiving the suspect computer program and creating a logically equivalent 
standardized version of the suspect program without executing the suspect 
program; a detector portion reviewing the standardized version against the 
library of malicious code portions to provide an output indicating when a 
malicious code portion is present in the suspect program; wherein the 
preprocessor creates the standardized version by replacing instructions of the 
suspect program with matching patterns from the library of patterns and wherein 
the library of standardized malicious code portions are also collections of 
patterns from the library of patterns wherein a pattern is a tag replacing at least 
one instruction logically having no substantive effect on the execution of the 
suspect program; and wherein the library of patterns is implemented as a look-up 
table matching instructions to the patterns." including all the other limitations recited 
in the independent claim 13.

7. Any comments considered necessary by applicant must be submitted no later
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHEWAYE GELAGAY whose telephone number is 
(571)272-4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Shewaye Gelagay/ 
Examiner, Art Unit 2437 



Primary Examiner, Art Unit 2437



